Product Security

Qualcomm Product Security

We, Qualcomm Incorporated and its subsidiaries, understand that maintaining a large variety of products comes with certain responsibilities. Therefore, we take security vulnerabilities very seriously and always seek to respond appropriately.

Join Our Team


Product Security Engineer (US location)


Product Security Engineer (EU location)


Hardware Security engineer (India location)    

Reporting Security Vulnerabilities

If you have found a potential security issue in any Qualcomm® product or software, please contact us via email:

People who submit high-quality reports are often invited to our Vulnerability Rewards Program. You may also request to be invited even without submitting a report first, if you send us some references (CVE ID, IDs with public references from other programs) that provide evidence that you already successfully submitted vulnerability reports to other programs. Please contact us via to request an invitation.

For encrypted communication, you may use our public key.

We will do our best to respond within a maximum of 48 hours. But if you do not receive a response within this time frame, please feel free to follow up with us to ensure that we have received your original report.

Report Details

The following information will help us to evaluate your submission as quickly as possible. If available, please include in your report:

  • Vulnerability type (buffer overflow, integer overflow, …)
  • Issue impact (arbitrary code execution, information disclosure, …)
  • Affected product and version
  • Instructions to reproduce the issue
  • A proof-of-concept (PoC)

Publication of Vulnerabilities

We regularly issue security bulletins to our customers in order to share security vulnerabilities and related code modifications. As an active member of Code Aurora Forum (CAF), Qualcomm Innovation Center, Inc. also shares reports of security vulnerabilities with CAF and the open source community. Such communications will oftentimes include description of issues, their severity based on our vulnerability rating guidelines and attributions to reporters of those vulnerabilities unless those reporters request otherwise.